Operating System - HP-UX
Action after a failed hack attempt

SOLVED
Steven E. Protter
Exalted Contributor

Re: Action after a failed hack attempt

I have a modified version of the one that Bastille installs.

It makes it quite clear in English that the attempt is unwelcome. It warns I will request compensation, which I have done.

Truck needs a new muffler. Maybe they'll pay.

I've pretty much done everything a competent admin should do. The attempts show tries for root, admin, guest, things like that. I don't think the OS has been ascertained.

After the firewall change is validated that IP won't be coming in any more.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: Action after a failed hack attempt

Don't let the bunny fool you.

There are still two more bunnies available.

block in log quick from 210.159.198.1 to any group 100

Is this valid in the ipfilter firewall? This machine is exposed directly on the net.

How do I get a status on firewall rules on ipfilter? I am barely competent on this firewall and pray for the day that HP ports iptables from Linux.

SEP
Sundar_7
Honored Contributor

Re: Action after a failed hack attempt

Here is one more interesting site SEP.

http://centralops.net/co/

It has a number of online tools for you to dig in to the details.

Wow, is it like anybody can directly telnet to your D320?
Learn What to do ,How to do and more importantly When to do ?
Steven E. Protter
Exalted Contributor

Re: Action after a failed hack attempt

telnet is disabled and blocked from outside with /var/adm/inetd.sec

The attack is with ssh, which I allow so I can remotely manage the server. I travel a lot so limiting the input range is a pain.

SEP
Geoff Wild
Honored Contributor

Re: Action after a failed hack attempt

Steven,

Just to let you know, I got "IPTables log analyzer" - very nice - had to massage a few things...

Sample:

Chain Date Host [HIDE] Interf. [HIDE] Proto. Src IP Dest IP [HIDE] Dest. port
DROPINPUT 2004-09-02 12:49:53 myserver eth0 TCP eclipse.4d.net myserver.mydomain.ca 113(ident)

All in a php web page to a mysql db.

To block input:

$IPT -A INPUT -p ALL -s 210.159.198.0/24 -j DROP

Let me know if you want help with the analyzer...


Saw this as well:

http://perlmonks.thepen.com/305787.html

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Action after a failed hack attempt

Geoff, we can't use iptables on HP-UX.

Unless there is something I'm missing.

My Linux machines picked up the probe, modified the iptables database and blocked the IP address two weeks ago when the probing began.

A little invention of mine, the self modifying spam defeating iptables firewall toolkit.

If iptables has been ported to HP-UX, let me know where I can get it.

SEP
Geoff Wild
Honored Contributor

Re: Action after a failed hack attempt

Ah, I see....

HP does have something similar...Ipfilter

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

It also comes with Bastille - I think.

But I see you already have that installed....

I thought your HP box was behind the Linux firewall - and you just had ssh open through it...

That might be a way to do this - actually setup the D320 behind the Linux box...

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Action after a failed hack attempt

Block command for ipfilter is as follows:

block in proto tcp from nto any port =22

I am re-opening this thread. That is because there have been developments.

I have developed a utility called monbad. It is attached. It runs a very simple loop. It counts the lines in the output of the lastb -R command once a second.

If there is a count discrepancy it does a few things. First it shuts down the sshd daemon so no further login attempts can occur while the stop.ssh.threat script runs. That second script will be in a post immediately following this post.

The code seems efficient, but I need a little help with it.

If there is a more efficient way of detecting a bad login immediately, I want to know it.

I'd also like a strategy on how to make this a startup daemon. I want to make sure one and only one copy of this script is running on the box at all times.

I can run HIDS on this box but it's old and slow and I'm concerned about the overhead. Plus this little honey has stopped the script kiddies from locking my root password. Thus far in its current form nobody's gotten more than two login attempts and none of them has been root yet.

See next post for continuation.
Steven E. Protter
Exalted Contributor

Re: Action after a failed hack attempt

Attachment is monbad. He calls stop.ssh.threat when necessary. The threat script updates the ipfilter firewall. The IP address is obtained from the syslog.log file.

There are probably some ancillary questions, which I'll try and answer now:

1) Why is the box on the Internet? Because I want to learn how to protect a box with low resources in a hostile environment. This box is incredibly reliable and can take over ip addresses should my Linux web servers fail. If I ever build my business to the point where it can support it, I'd like to migrate to HP-UX servers for the whole thing using mirror/ux and serviceguard. For now the box helps me learn and backstop.

2) Why not HIDS? Resource concerns?

3) Why is ssh port open at all? It's supposed to be secure. To date nobody has even come close to hacking the box. I need to access this box no matter where I go in the world. My most precious possession, a website that will hopefully help my wife's career, runs on this box. I feel it's reasonable to maintain ssh access on front line firewall type boxes.

5) Why not a firewall appliance or appliances that forward? Same issue, someone is still locking my root password and these devices don't work well with my T1, which is provided by Covad. Don't really want to discuss the Internet setup, I really can't afford to buy any more hardware right now.

6) What does it take to get a bunny besides a smile? Translation: What do I want.

I am far inferior as a coder to the likes of A. Clay Stephenson or Sridhar Bhaskarla. I'm just amazed on a day to day basis what they can post on a moment's notice. There are lots of you like these two fine individuals.

I am proud of this code, because it's some of the better code I have produced. I would like to improve it if possible and I'd like to see what I can do to make it a daemon.

Bunny will be handed out for reasonable improvements that test out and that means work as well as this guy which is 100% of the time. Step by step to have a startup script (know how to do that) run this guy as a daemon, one copy running at all times.

itrc forumers, start your engines.

I know this will take some time, and the turnaround will be slow when I test code fixes.

Thanks In Advance.

SEP
Sridhar Bhaskarla
Honored Contributor

Re: Action after a failed hack attempt

SEP,

You made me feel guilty by calling me a good scripter. I am not. If my appadmin wants me to write a script for the application, I politely refuse because I would be the last one to see my system slowing down. I mostly write scripts to merely ease my laborious sysadmin jobs rather than to be used in production on a daily basis. There are really quality scripting/coding people here that everyone knows of. But I do appreciate your kind words though.

Coming back to your original question, you have a couple of options.

1. Use DenyUsers feature of sshd_config to deny all except you.
2. Set up /etc/hosts.allow and hosts.deny files. You can set up user-based authentication so only you can login yourself.
3. Have your root disabled by default. However, install SUDO and allow only access to yourself to run 'sudo'. sudo will work even if the root account is disabled.
4. Since 'ssh' exploits are widely known, I suggest you compile ssh yourself and update it as soon as an exploit is announced.


To have your script running all the time, keep your script in /usr/contrib/bin (your standard directory) and run it through another script in /sbin/init.d. For ex., your /sbin/init.d/monbad.sh may look like this

#!/sbin/sh
# /sbin/init.d/monbad.sh - start/stop wrapper for the monitor kept in /usr/contrib/bin

case "$1" in

'start')
    # detach the monitor from the boot shell so it survives init moving on
    nohup /usr/contrib/bin/monbad.sh start > /tmp/somelogfile 2>&1 &
    ;;
'stop')
    nohup /usr/contrib/bin/monbad.sh stop > /tmp/somelogfile 2>&1 &
    ;;
*)  echo "Usage: $0: start|stop"
    ;;
esac

Add start_msg, stop_msg etc., checks.

You can get the bad IP from 'lastb -R' itself.

Some thoughts.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
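As an added example, not SEP's monbad attachment, his stop.ssh.threat script, or Sri's init.d wrapper, here is a POSIX sh sketch of the pieces the last few posts discuss: a count-based check for new failed logins (SEP's lastb -R loop), extraction of the offending source address from sshd log lines (SEP reads syslog.log; Sri suggests lastb -R), generation of ipfilter block rules in the form quoted earlier in the thread, an allowlist so the admin's own management address can never be blocked, and a PID-file lock that guarantees one and only one copy runs. The log lines, the allowlist address 192.0.2.10 and the lock file path are constructed for the example; the functions only operate on that text and never touch sshd or ipf.

```shell
#!/bin/sh
# Added example: building blocks for a failed-ssh-login monitor on an ipfilter host.
# Everything here runs against constructed sample text; nothing is changed on the system.

# Constructed sample of OpenSSH syslog records (a real host would read /var/adm/syslog/syslog.log).
SAMPLE_SYSLOG='Sep  2 12:49:53 d320 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 4122 ssh2
Sep  2 12:49:55 d320 sshd[4121]: Failed password for invalid user guest from 203.0.113.45 port 4130 ssh2
Sep  2 12:50:01 d320 sshd[4133]: Failed password for root from 198.51.100.7 port 5010 ssh2
Sep  2 12:50:09 d320 sshd[4140]: Accepted publickey for sep from 192.0.2.10 port 60111 ssh2
Sep  2 12:50:30 d320 sshd[4150]: Failed password for sep from 192.0.2.10 port 60112 ssh2'

# Management addresses that must never be blocked (hypothetical value).
ALLOWLIST='192.0.2.10'

# extract_bad_ips TEXT: print each source address seen in a "Failed password" record, once.
extract_bad_ips() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort -u
}

# is_allowed IP: success if IP is on the allowlist.
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# make_ipf_rules TEXT: one ipfilter rule per offending address, skipping allowlisted ones.
# Same rule form as the one quoted in the thread; feed the output to ipf -f on the real host.
make_ipf_rules() {
    for ip in $(extract_bad_ips "$1"); do
        is_allowed "$ip" && continue
        printf 'block in log quick from %s to any\n' "$ip"
    done
}

# count_failures TEXT: number of failed-login records (stand-in for "lastb -R | wc -l").
count_failures() {
    printf '%s\n' "$1" | grep -c 'Failed password'
}

# new_failures PREV CUR: success when the count has risen since the previous poll.
new_failures() {
    [ "$2" -gt "$1" ]
}

# acquire_lock LOCKFILE: create LOCKFILE atomically (noclobber) holding our PID.
# Fails while another live instance holds it; reclaims a lock whose owner PID is gone.
acquire_lock() {
    lock=$1
    if ( set -C; printf '%s\n' "$$" > "$lock" ) 2>/dev/null; then
        return 0
    fi
    other=$(cat "$lock" 2>/dev/null)
    if [ -n "$other" ] && [ "$other" != "$$" ] && kill -0 "$other" 2>/dev/null; then
        return 1        # a live instance owns the lock
    fi
    rm -f "$lock"       # stale lock left behind by a dead process
    ( set -C; printf '%s\n' "$$" > "$lock" ) 2>/dev/null
}

# Stand-alone demo: MONBAD_DEMO=1 sh thisfile  prints the rules for the sample log.
if [ "${MONBAD_DEMO:-0}" = 1 ]; then
    make_ipf_rules "$SAMPLE_SYSLOG"
fi
```

On the real box the polling loop SEP describes would wrap these pieces: take the lock once at startup, remember the previous count, and once a second compare it with the current one; on a rise, extract the new addresses, drop the allowlisted ones, and hand the generated rules to ipf before restarting sshd. The allowlist is the safety net against the failure mode of a mistyped password from your own laptop locking you out of a box you administer remotely.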